A sample working configuration is included for you to compare against your configuration.
This article is a part of the Dynamic VPN Resolution Guide: KB17220 – Resolution Guide – SRX – Troubleshoot Pulse VPN connections to SRX.
Symptoms:
The Pulse client is not connecting to the SRX due to a configuration error.
Cause:
Solution:
If your Pulse client is not connecting to the SRX device, first follow the steps in KB23031 – [SRX] Pulse client connection status is ‘Disconnected’, which may refer you to this article to confirm your configuration.
Below is a working configuration for a Pulse client connected to an SRX. The areas that most often cause connection failures are marked with ## comments so that you can compare them with your own configuration. Note that the sample's IKE and IPsec proposals use DES-CBC and MD5 with DH group 2; these algorithms are cryptographically weak and are kept here only because the sample was built with them. Use stronger proposals (for example AES with SHA-2 and a larger DH group) in a production deployment; the problem areas marked below are the same either way.
system
system {
    root-authentication {
        encrypted-password "xyzxyzasdasdabcabc";
    }
    services {
        web-management {
            https {
                system-generated-certificate;
                interface fe-0/0/0.0; ## Specifying the interface is optional
            }
        }
    }
}
interfaces
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
## Listed IP should be entered as the Server URL in Pulse if fe-0/0/0 is IKE external interface
address 1.1.1.1/24;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address 192.168.0.1/24;
}
}
}
}
security
security {
    ike {
        proposal ike-prop1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        ## Remember to set the mode to aggressive, else "IKE negotiations fail"
        policy ike-dyn-vpn-policy {
            mode aggressive;
            proposals ike-prop1;
            pre-shared-key ascii-text "asdasdxyzxyz##$$%%^"; ## SECRET-DATA
        }
        ## Make sure the correct IKE policy is specified
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname dynvpn;
                ## connections-limit should not be greater than the number of installed licenses
                connections-limit 2;
                ike-user-type group-ike-id;
            }
            ## Make sure to specify the correct egress interface toward the client
            external-interface fe-0/0/0.0;
            xauth access-profile dyn-vpn-access-profile;
        }
    }
    ipsec {
        proposal ipsec-prop2 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop2;
        }
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-policy;
            }
        }
    }
    ## Bind the access profile to the dynamic VPN
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            all-clients {
                remote-protected-resources {
                    192.168.0.0/24; ## Specify which traffic should go through the VPN
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ## Specify the correct IPsec VPN name
                ipsec-vpn dyn-vpn;
                user {
                    ## The user list must match the client names in the [access] portion of the config, or the users defined on the RADIUS server
                    user1;
                    user2;
                }
            }
        }
    }
    policies {
        ## Direction should be from outside (untrust) to inside (trust)
        from-zone untrust to-zone trust {
            policy pol-dyn-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ## Specify the correct IPsec VPN name
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        ## IKE and HTTPS are mandatory on the external interface
                        system-services {
                            ike;
                            https;
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
access
access {
profile dyn-vpn-access-profile {
client user1 {
firewall-user {
password "$9$bns4JGUH"; ## SECRET-DATA
}
}
client user2 {
firewall-user {
password "$9$km5FCt0c"; ## SECRET-DATA
}
}
address-assignment {
pool dyn-vpn-address-pool;
}
}
address-assignment {
pool dyn-vpn-address-pool {
family inet {
network 192.168.1.0/24;
xauth-attributes primary-dns 4.2.2.2/32;
}
}
}
firewall-authentication {
web-authentication {
default-profile dyn-vpn-access-profile; ## Specify the profile name defined under [edit access]
}
}
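Most of the ## comments in the sample above are cross-references between stanzas: the IKE policy named by the gateway must be in aggressive mode, the gateway's external interface must sit in a zone that allows IKE and HTTPS inbound, the security policy and the dynamic-vpn client block must name the same IPsec VPN, and the users listed under dynamic-vpn must exist as clients of the bound access profile (or on RADIUS). The script below, an added example that is not part of the Juniper article, walks those references over a configuration in Junos `set` format (the output of `show configuration | display set`) and reports any that do not resolve. The sample input is a constructed `set` rendering of the article's working configuration, trimmed to the statements the checks read; the function and helper names are the example's own.

```python
"""Cross-check the inter-stanza references of an SRX dynamic-VPN (Pulse)
configuration given in Junos 'set' format.  Each check mirrors one of the
'##' comments in the sample configuration.  Added example, not Juniper code."""
import shlex

# Constructed sample: the article's working configuration rendered in 'set'
# format and trimmed to the statements the checks look at.
SAMPLE_SET_CONFIG = """
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 2
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface fe-0/0/0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all-clients remote-protected-resources 192.168.0.0/24
set security dynamic-vpn clients all-clients remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all-clients ipsec-vpn dyn-vpn
set security dynamic-vpn clients all-clients user user1
set security dynamic-vpn clients all-clients user user2
set security policies from-zone untrust to-zone trust policy pol-dyn-vpn then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set access profile dyn-vpn-access-profile client user1 firewall-user password "$9$bns4JGUH"
set access profile dyn-vpn-access-profile client user2 firewall-user password "$9$km5FCt0c"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.1.0/24
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
"""


def parse_set_config(text):
    """One token list per 'set ...' statement, with the leading 'set' dropped."""
    return [shlex.split(l)[1:] for l in text.splitlines() if l.strip().startswith("set ")]


def tails(stmts, *prefix):
    """The tokens following `prefix` in every statement that starts with it."""
    n, prefix = len(prefix), list(prefix)
    return [s[n:] for s in stmts if s[:n] == prefix]


def value(stmts, *prefix):
    """First token after `prefix`, or None if no statement carries it."""
    hits = tails(stmts, *prefix)
    return hits[0][0] if hits and hits[0] else None


def check_dynamic_vpn(set_text):
    """Return a list of findings; an empty list means every reference resolves."""
    st = parse_set_config(set_text)
    out = []
    profile = value(st, "security", "dynamic-vpn", "access-profile")
    if not tails(st, "access", "profile", profile):
        out.append(f"access profile '{profile}' bound under dynamic-vpn is not defined under [edit access]")
    if value(st, "access", "firewall-authentication", "web-authentication", "default-profile") != profile:
        out.append(f"web-authentication default-profile should be '{profile}'")
    pool = value(st, "access", "profile", profile, "address-assignment", "pool")
    if not tails(st, "access", "address-assignment", "pool", pool):
        out.append(f"address-assignment pool '{pool}' is not defined")
    for client in sorted({t[0] for t in tails(st, "security", "dynamic-vpn", "clients")}):
        vpn = value(st, "security", "dynamic-vpn", "clients", client, "ipsec-vpn")
        gw = value(st, "security", "ipsec", "vpn", vpn, "ike", "gateway")
        if gw is None:
            out.append(f"clients {client}: ipsec-vpn '{vpn}' has no IKE gateway (wrong VPN name?)")
            continue
        policy = value(st, "security", "ike", "gateway", gw, "ike-policy")
        if value(st, "security", "ike", "policy", policy, "mode") != "aggressive":
            out.append(f"ike policy '{policy}': mode must be aggressive, else IKE negotiations fail")
        if value(st, "security", "ike", "gateway", gw, "dynamic", "ike-user-type") != "group-ike-id":
            out.append(f"gateway {gw}: ike-user-type should be group-ike-id")
        if value(st, "security", "ike", "gateway", gw, "xauth", "access-profile") != profile:
            out.append(f"gateway {gw}: xauth access-profile does not match '{profile}'")
        ext = value(st, "security", "ike", "gateway", gw, "external-interface")
        zones = tails(st, "security", "zones", "security-zone")
        zone = next((z[0] for z in zones if z[1:3] == ["interfaces", ext]), None)
        if zone is None:
            out.append(f"gateway {gw}: external-interface {ext} is not placed in any security zone")
            continue
        # Pulse needs IKE (tunnel setup) and HTTPS (client/config download) on that interface.
        svc_prefix = ["interfaces", ext, "host-inbound-traffic", "system-services"]
        services = {z[5] for z in zones if z[0] == zone and z[1:5] == svc_prefix and len(z) > 5}
        for svc in ("ike", "https"):
            if svc not in services and "all" not in services:
                out.append(f"zone {zone}: {ext} must allow host-inbound system-services {svc}")
        # The permit-tunnel policy must leave the external zone and name the same VPN.
        policies = tails(st, "security", "policies", "from-zone", zone, "to-zone")
        if not any(p[-3:] == ["tunnel", "ipsec-vpn", vpn] for p in policies):
            out.append(f"no from-zone {zone} policy permits tunnel ipsec-vpn '{vpn}'")
        for user in [u[0] for u in tails(st, "security", "dynamic-vpn", "clients", client, "user")]:
            if not tails(st, "access", "profile", profile, "client", user):
                out.append(f"user '{user}' is not a client of access profile '{profile}' (acceptable only if defined on RADIUS)")
    return out


if __name__ == "__main__":
    for finding in check_dynamic_vpn(SAMPLE_SET_CONFIG) or ["OK: all cross-references resolve"]:
        print(finding)
```

To use it against a real device, paste the `display set` output into `SAMPLE_SET_CONFIG` or pass it to `check_dynamic_vpn()` directly. The checker only sees the configuration, so it cannot tell whether `connections-limit` exceeds the installed licenses or whether a user missing from the access profile is defined on RADIUS; those two remain manual checks.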
For more information on the above configuration fields, refer to:
If the problem is still not resolved after completing the steps above, collect the information listed in KB21781-[SRX]Data Collection Checklist – Logs/data to collect for troubleshooting, and open a case with your technical support representative. (Note the ‘IPSec – Dynamic VPN’ section for the additional data to collect.)
Related Links:
© 1999 – 2017 Juniper Networks, Inc. All rights reserved
Original source:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB22980&actp=METADATA